By: ThreatLabz

30 Days Of Cycbot

Analysis

Introduction:
I started doing some analysis on a beaconing pattern that I observed this past week. Initially the pattern and domains I observed turned up little open-source information, but as I widened my search in the logs I found other infected customers across a variety of sectors and was able to track a botnet that uses a large number of IPs and domains for its command and control. This is the "Cycbot" botnet: first detected around August 2010 (reference), it has not appeared much in the media, but it appears to be making its rounds and infecting hosts in greater numbers, especially within the last month from my perspective.

The Beaconing Pattern:
The pattern typically followed HTTP GET requests of this form:

FQDN/blog/images/3521.jpg?vNUM1=NUM2&tq=BASE64_Data

and the transactions were made with the User-Agent string "mozilla/2.0".

The BASE64_Data appears to be base64-encoded, XOR-"encrypted" data. The vNUM1=NUM2 parameter was occasionally omitted; when it was, I was able to brute-force the single-byte XOR key of the base64-decoded data. When the "v" parameter was present I was not able to decrypt it. This particular encoded value was consistent among infected hosts:

tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=

Base64-decoding it and XORing each byte with key 0x30 displays:

t=ss&q=id%3D1649%26c%3D137&s=1&hrs=0
which, once the URL-encoded q parameter is decoded, is t=ss&q=id=1649&c=137&s=1&hrs=0

A 0x37 (decimal 55) key instead displays what looks like a cryptic command: s:tt!v:nc"4C613>"51d"4C640!t:6!out:7
This second output is just the same plaintext with every byte XORed by 0x07 (0x30 XOR 0x37), so it is an artifact of the wrong key rather than a separate message.

Note: while tracking the incident back in time, the only consistent strings to trigger on for the beacons are:
  • ?tq=BASE64_data
  • ?vNUM1=NUM2&tq=BASE64_Data
which by themselves could generate some false positives.
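To make the beacon pattern and the decode above concrete, here is an added example; it is not code from the original post. It scans constructed proxy log lines (timestamp, client, User-Agent, URL; hostnames, timestamps and client IPs are placeholders) for the two trigger strings, raises confidence only when the request also uses the /blog/images/3521.jpg path and the "mozilla/2.0" User-Agent, and then base64-decodes the tq value and brute-forces the single-byte XOR key, using the expected k=v&k=v shape of the plaintext as a crib rather than a printable-character count (a printable count would also accept the 0x37 key). On the tq value quoted above it recovers key 0x30 and the 36-byte query string; the remaining 8 decoded bytes do not fit the same key and are returned raw.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# The tq value quoted in the post, consistent across infected hosts.
TQ_SAMPLE = "RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ="

# Constructed proxy log lines (not from the original post). Fields:
# timestamp,client,user-agent,url. Lines 1-2 are Cycbot-style beacons (line 2
# carries the optional vNUM1=NUM2 parameter); line 3 is a benign request whose
# "?tq=" trips the loose trigger. Hostnames and addresses are placeholders.
SAMPLE_LOG = """\
2011-03-10T08:12:01Z,10.1.2.3,mozilla/2.0,http://cc-host.example/blog/images/3521.jpg?tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=
2011-03-10T08:14:09Z,10.1.2.3,mozilla/2.0,http://cc-host.example/blog/images/3521.jpg?v12=345&tq=RA1DQxZBDVlUFQN0AQYECRUCBlMVA3QBAwcWQw0BFlhCQw0APXNzJnE9aWQ=
2011-03-10T08:15:33Z,10.1.2.4,Mozilla/5.0 (Windows NT 6.1),http://shop.example/search?tq=bGFwdG9w
"""

LOG_LINE = re.compile(r"^(?P<ts>[^,]+),(?P<client>[^,]+),(?P<ua>[^,]+),(?P<url>.+)$")
# Loose trigger from the post: "?tq=" optionally preceded by "?vN=N&".
LOOSE = re.compile(r"\?(?:v\d+=\d+&)?tq=(?P<tq>[A-Za-z0-9+/]+=*)$")
# Tighter trigger: the same query on the /blog/images/3521.jpg path.
STRICT = re.compile(r"/blog/images/3521\.jpg\?(?:v\d+=\d+&)?tq=[A-Za-z0-9+/]+=*$")
# Crib for the brute force: plaintext should look like k=v&k=v... with
# lowercase keys and URL-safe values.
QUERY_SHAPE = re.compile(rb"[a-z][a-z0-9]*=[A-Za-z0-9%]*(?:&[a-z][a-z0-9]*=[A-Za-z0-9%]*)*")


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys and keep the one whose output matches the
    query-string crib for the most bytes. Returns (key, matched_length), or
    (None, 0) when no key yields even one k=v pair."""
    best_key, best_len = None, 0
    for key in range(256):
        m = QUERY_SHAPE.match(xor_bytes(blob, key))
        if m and m.end() > best_len:
            best_key, best_len = key, m.end()
    return best_key, best_len


def decode_with_key(tq_value: str, key: int) -> bytes:
    """Decode a tq value under an explicit key (useful to inspect wrong keys)."""
    return xor_bytes(base64.b64decode(tq_value), key)


def decode_beacon(tq_value: str):
    """Base64-decode a tq value, recover its XOR key and parse the fields.
    Bytes past the crib match are returned raw (pre-XOR) under 'tail'."""
    try:
        blob = base64.b64decode(tq_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    key, length = recover_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)[:length].decode("ascii")
    fields = dict(pair.split("=", 1) for pair in plain.split("&"))
    if "q" in fields:
        fields["q"] = unquote(fields["q"])  # id%3D1649%26c%3D137 -> id=1649&c=137
    return {"key": key, "fields": fields, "tail": blob[length:]}


def scan_log(text: str):
    """Return one hit per log line matching the loose trigger; confidence is
    'high' only when the strict path/User-Agent match and the decode both hold."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        loose = LOOSE.search(m["url"])
        if not loose:
            continue
        decoded = decode_beacon(loose["tq"])
        strict = STRICT.search(m["url"]) is not None and m["ua"].lower() == "mozilla/2.0"
        hits.append({
            "ts": m["ts"], "client": m["client"],
            "confidence": "high" if strict and decoded else "low",
            "decoded": decoded,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        fields = hit["decoded"]["fields"] if hit["decoded"] else None
        print(hit["ts"], hit["client"], hit["confidence"], fields)
```

The crib is what keeps the brute force honest: every key produces 44 bytes, and several produce mostly printable ones, but only one produces something that parses as a query string from the first byte. Treat the "low" hits as candidates for review rather than alerts, which is the false-positive concern raised above.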

Tracing back in time through our logs, this pattern first emerges on the morning of March 10th. From this initial infection to the present, the number of infected hosts and of C&C IPs/domains used has consistently risen.

Open-Source Information:
Googling around, I found related and very recently submitted samples on ThreatExpert.
These reports identify that the malware opens a backdoor on the infected system (e.g., 59495/TCP), and also show the MD5s of the submitted samples:
Using the MD5 as a search on VirusTotal, I was able to find recent anti-virus reports with very low detection:
The malware is identified under the names:
Gen:Variant.Kazy.19331, Win32:Cycbot-CL, Win32/Kryptik.MPX

Command and Control Infrastructure:
Tracking the observed infections back over time, I was able to identify a fairly robust set of IPs and domains used to keep the botnet alive. Below is the information that I saw since March 10:

C&C Domains
C&C IPs
Some of the C&Cs appear to be compromised sites, for example onlineinstitute.com.
In each of these cases directory indexing is enabled, e.g.,
onlineinstitute.com/g7/images/
Many of the sites appear to be hosted by BlueHost.

But the majority of the C&Cs were recently registered domains, with registrant information ranging from China to Russia to "private" registration. Below is a list of some of the email addresses used by the criminals to register the domains:
Using the above information in Google searches, it is possible to correlate other malicious domains. Keep an eye out for Cycbot in your networks; this botnet does not seem to be slowing down. And always be on the lookout for new beaconing patterns that emerge within your environment!